1 A Report for University of California, Los Angeles RFI Risk Assessment 13 December 2010
2 RFI Risk Assessment University of California, Los Angeles 13 December 2010 Page i Table of Contents Executive Summary... 1 Approach... 2 Project Background... 3 Market Observations... 5 Findings... 7 Recommendations... 8
3 Page 1 of 12 Executive Summary
4 Page 2 of 12 Executive Summary Over the past several years, there has been a significant shift in higher education institutions moving student communities from in-house, largely open source systems to no-fee cloud services from Microsoft and Google. For reference, there are approximately 5,000 colleges and universities in the U.S., and a similar number of hospitals. Gartner estimates that about 35% (1,750) of higher education institutions currently use no-fee cloud services for students and another 15% (750) are likely to migrate to no-fee cloud services over the next 12 months. The split between Microsoft and Google is roughly 50/50. By and large, these no-fee cloud services have been an enormous success, allowing schools to move from legacy systems to rich suites of collaboration tools augmented with personal productivity applications, very large storage volumes and extensive mobile support. It is Gartner s experience that most organizations which have not moved to no-fee cloud services are contemplating such a move. Gartner has been engaged by the University of California, Los Angeles (UCLA) to determine the risks associated with obtaining cloud-based services as proposed in response to a Request for Information (RFI) previously issued by the University of California Office of the President. The risk assessment is intended to address the following: Potential risks associated with security, feature availability and service delivery Potential impact on the current Unified Communications and Collaborations (UCC) strategy (for a limited number of the campus locations) Risk mitigation strategies Gartner undertook an extensive review of the current environment needs and requirements of various user groups, market investigation, alternatives analysis and peer interviews. Based on this analysis, Gartner found that the risks for UCLA, compared with others, vary greatly based on each user group and its respective requirements. Gartner found that while students and alumni have manageable risks associated with security, feature availability, service delivery and UCLA s UCC strategy, the advantages of the proposed services improved collaboration and integration with personal services outweigh the risks for this user group. Nevertheless, implementation of a no-fee cloud service is not without costs and offers little in the way of financial savings. As such, Gartner recommends that any adoption of a no-fee cloud service be considered as a tactical solution to a tactical need, as opposed to a strategic solution targeted toward a specific strategic objective. Any contract for the service should reflect that tactical objective. Gartner found the risks for faculty, staff, graduate students that teach and the Medical school to be unacceptably high. Accordingly, Gartner believes UCLA would be better served by either internally investing in in-house collaboration and communications systems which have the potential to become an integral enhancement to the education process, or procuring these services from an external service provider using a procurement process focused on the unique needs of UCLA. Approach This assessment was undertaken as a collaborative effort among Gartner Consultants and Researchers with extensive knowledge of the industry trends and product development roadmaps of and UCC providers, along with experience in higher education and strategic sourcing.
5 Page 3 of 12 In addition to evaluating the potential risks associated with security, feature availability, service delivery and the potential impact on UCLA s current UCC strategy, Gartner s approach included an assessment of the RFI from the perspective of how well the RFI reflects the unique needs and requirements of UCLA and the risks associated with management of an external service provider. During the course of this assessment, Gartner reviewed the following documentation provided by UCLA: UCLA Communications Technology Services, Bruin OnLine Services, Service Level Agreement, June 2010 Interim UCLA Unified Communications Topology, June 2010 Follow-up to Communications Technology Services Enterprise Exchange Audit Report # , January 2010 Enterprise Messaging Services Overview Evaluation of Microsoft Services (Based on RFI Submission 1/19/10) DRAFT UCLA Communications Technology Services, Enterprise Messaging, Service Level Agreement, Campus Computing Council Outsourcing Task Force Survey and findings Student Survey and findings Graduate Student/Faculty Survey and findings UCLA Communications Technology Services, Strategic Plan Financial Supplement, FYs 2009/ /14, May 2009 UCLA Communications Technology Services Strategic Plan, FYs 2009/ /14, May 2009 University of California, Office of the President, Request for Information for Services, issue date 12/18/2009 UCOP Outsourcing Vendor Questions, February 16, 2010 Google Response to the University of California RFI for Services, 19 January 2010 UCLA IT Strategic Plan: , September 30, 2009 Microsoft Response to the University of California RFI for Services, January 15, 2010 During the assessment, Gartner interviewed over a dozen stakeholders within UCLA or involved in the procurement within the University of California system. In addition, Gartner participated in several workshops to identify stakeholder issues, concerns and opportunities. These issues, concerns and opportunities were then analyzed from the perspective of identifying root causes and assessing mitigation strategies as appropriate. Project Background At present, the UCLA environment provides accounts and supporting services to approximately 38,500 students and planned forwarding services for approximately 15,000 alumni and retirees. In addition, UCLA provisions services for approximately 6,500 academic
6 Page 4 of 12 personnel and 23,500 staff personnel. These services are delivered through a number of systems, the largest being Bruin OnLine (BOL), which provides services for name space. Currently, the UCLA Medical Enterprise supports approximately 24,000 Exchange accounts. The remaining accounts are supported via BOL or the campus exchange cluster. Figure 1 below depicts a summary of accounts. Figure 1. Summary of UCLA Accounts Undergraduate Students (general campus): 26,442 Undergraduate Students (health sciences): 245 Total number of Undergraduate Students: 26,687 Graduate Students (general campus): 9,515 Graduate Students (health sciences): 2,348 Total number of Graduate Students: 11,863 Academic Personnel (general campus): 4,800 Academic Personnel (with a mednet address): 1,794 Total number of academic personnel: 6,594 Staff Personnel (general campus): 11,933 Staff Personnel (with a mednet address): 11,614 Total number of Staff Personnel: 23,547 UCLA currently has the following four distinct user groupings within both the Campus Enterprise and the Medical Enterprise: (1) Alumni and retirees (2) Undergraduate students (3) Graduate students employed by UCLA (4) Faculty and staff Each of the four user group constituencies has unique technology needs, performance requirements and business goals. At one end of the spectrum, the alumni and retirees group finds little benefit from collaboration tools and has minimal performance expectations and business goals from UCLA services. Alumni and retirees are primarily interested in maintaining a communications linkage with UCLA. At the other end of the spectrum, Gartner found the faculty and staff constituency has a moderate (though increasing) desire to integrate and leverage unified communications and collaboration tools into their daily communications and education processes. These users require highly-reliable, customized features because the achievement of this constituency s business objectives can be directly impacted by unified communications and collaborations tools. Undergraduate and graduate students employed by UCLA have needs, requirements and goals that fall in between the two extremes mentioned above. As a result, Gartner s first critical finding from the user group interviews is that one solution does not fit all of the needs, requirements and goals of all of the user groups. The second key finding reflects the fact that UCC tools are a rapidly evolving technology with component life cycles that are much shorter than the traditional life cycles of communications products currently deployed and managed by UCLA. In fact, many UCC products are experiencing viral flashes of popularity where adoption and abandonment is exponentially faster than currently managed communications services; so fast that the product life cycle of
7 Page 5 of 12 UCC products are, on average, shorter than UCLA s product adoption and deployment cycles. UCC products with this type of viral popularity among students may come and go in the time it takes UCLA to establish a business case, undergo product selection, deployment, integration and security testing, trial, deployment and operational preparation using the University s Enterprise Architecture Planning methodologies. This is not a shortcoming of UCLA; in fact, Gartner believes UCLA is more capable than most other universities at introducing new products and services. Rather, it underscores the need to recognize that consumer UCC applications come and go with the same alacrity as other popular free applications. Perhaps a school within UCLA acting autonomously could adopt and leverage viral UCC products. Perhaps eventually UCLA will be able to adopt and leverage viral UCC products. But the thought of a coordinated governance structure within the entire University of California system acting to leverage viral UCC products is unlikely. The third finding recognizes the increasing adoption of consumer products in the business world. Both public and private sector clients are increasingly being forced to integrate consumer targeted products and services into the enterprise network. The adoption of iphones, ipads and wireless connectivity are prime examples of this movement, even though these products are recognized as having enterprise-level security flaws that create real security risks. Enterprises are being coerced to integrate these products within their networks because of the sheer benefit consumers find in using these products both in their personal lives and at work. Fortunately, universities have long been at the forefront in the adoption of the new technologies that students prefer to purchase and bring to campus. Many universities are now co-opting iphone or ipod technology by requiring students to own and use them to download podcasts of classroom lectures for subsequent replay. UCC-related technologies (of which the cellular smart-phone is easily the most prolific example) have been heavily adopted by students and they now envision UCLA will support their technology investments. Gartner research has found successful universities embrace new technologies while finding ways to leverage the capabilities of such technology to achieve the educational mission. The confluence of these findings - distinct user group requirements, rapidly evolving UCC technologies and the consumerization of technologies - are the lenses through which the findings of the RFI risk assessment were viewed. Market Observations Although services from both Google and Microsoft claim to be free, Higher Education Institutions should recognize that the services do not come without a cost. The institution will still need to integrate (and maintain) the service with portals, directories and sign-on mechanisms. Institutions also must maintain the directory and work with the vendor on level two and three help desk issues and supply bandwidth for Internet connectivity. They may also provide level one help desk services to users. In Gartner s review of UCLA s financial analysis, UCLA included a realistic estimate of these expenses. Gartner concurs with the financial analysis findings that UCLA will experience diminutive cost savings from transitioning students and alumni to the free services of either Google or Microsoft. The following highlights are from Q&A:.edu CIO Top Questions About No-Fee Services, 30 November 2010, Matthew W. Cain. Is there an advantage of one vendor over the other? This is a matter of requirements and preference. Some institutions have campuswide contractual agreements with Microsoft for a number of products and the faculty and staff may wish to continue that, so the offering would be preferred. Or the
8 Page 6 of 12 institution might want to run a hybrid deployment of Exchange 2010 on premises for faculty and staff, and a cloud version of Exchange for students. On other campuses Google Apps are in widespread use and would be preferred. Other than local choice, there appears to be no overwhelming advantage for one of these providers over the other. They are remarkably similar in terms of support, integration services, feature sets, uptime and salesmanship. Individual institutions may experience distinct differences between sales teams, but that is typically a geographic anomaly, not a factor that can be generalized. The vendors are in rigorous competition with each other, often time scrambling to add features that the other does not, to the significant advantage of the.edu community Are there serious issues regarding taking faculty and staff to these providers too? The overwhelming majority of schools use no-fee services exclusively for students and alumni. It is rare to see staff and faculty on a no fee service the primary reasons are often ill-defined objections about security and privacy. If this is the case, we recommend developing an extremely granular list of specific security and privacy concerns and then reviewing the concerns with the vendor. Often we find that the vendor can do a more-than-adequate job of responding to these concerns. The more concrete objections have to do with archiving and discovery. The legal perspective may be concerned about its ability to archive mail and respond to court-ordered hold requests. In the case of Google, institutions are able to turn on a fee-based Postini archive service that can provide archive and some discovery support (at a cost of $1 to $2 per user per month). With Microsoft's new Office 365 program, schools will be able to turn on fee-based archiving when the program goes to general availability, likely in 2Q, 11, for a fee similar to that of Google. Current customers can use the fee-based Exchange Hosted Archive service. Overall, however, as the no-fee services mature, we expect to see many institutions bring faculty and staff over to the student service. But like any cloud service, organizations give up some control due to the nature of the provisioning model. The ability to troubleshoot and resolve problems quickly can be hampered by lack of university support personnel access to servers. The ability to conduct forensics and pull reports is also limited compared to on-premises deployments. And the service-level agreements 99.9% uptime for both (or 42 minutes of downtime a month) lack a financial penalty for noncompliance since the service is no fee. Can I be assured that the providers won't do a short-term bait and switch and begin charging the institution for the accounts? These providers preserve the option in future contracts for charging for services, but they also provide for a long notice period so there won't be any short term bait and switch issues. The intense competition between the vendors ensures, however, that a no-fee option will be available for the next several years. The vendors benefit from offering no-fee services in three key ways: It helps them better prepare their offerings for commercial deployments (Microsoft, for example, ran Exchange 2010 for the.edu community for years before it rolled it out to enterprises). It exposes students to the vendor product line, with the hope that the student carries that preference as they move into the business world.
9 Page 7 of 12 Findings It generates advertising revenue once the student graduates. Graduates represent a highly desirable demographic. We speculate that the vendors may offer a revenue-sharing agreement with the institution for advertising to graduates. Where the vendors will monetize their.edu customers is by extending the platform with fee-based services such as archiving, encryption and mobile services. The assessment of the RFI revealed that the potential risks associated with security, feature availability and service delivery have been adequately identified, assessed and addressed either during the RFI process or through independent research, testing and provider commitments made during the RFI process. Firstly, Gartner believes the RFI process has demonstrated that an external service provider whose product includes enhanced UCC capabilities integrated with consumer grade services may be of substantial benefit to the students and alumni user group at UCLA. This includes the Google services proposed in response to the RFI. But the lack of potential integration with UCLA s enterprise architecture products and services make Google s services less than desirable for other user groups. Secondly, Gartner believes the RFI process has demonstrated that an external service provider whose products include enhanced UCC capabilities and comply with UCLA s enterprise architecture products and standards may be a benefit to the faculty, staff and graduate students who teach at UCLA. These users require a high level of integration with existing education and communications applications; a change to a UCC platform cannot be taken without reassessing the impact on UCLA s enterprise computing architecture. Products that could meet the needs of the faculty, staff and graduate students who teach include the Microsoft Business Productivity Solutions proposed in response to the RFI. Lastly, the RFI process demonstrated that an external service provider can meet the high levels of security requirements of a medical enterprise like the UCLA Medical Sciences group. Gartner has found that many external service providers have contracted with hospitals and other institutions with comparable regulatory requirements. Although Gartner does not believe either Google or Microsoft Business Productivity Online Standard Suite (BPOS) services are currently suitable for the UCLA Medical Sciences group, Gartner has repeatedly found external providers could meet the needs of UCLA Medical Sciences group. The responses to the RFI and Gartner s market insight indicate that external service providers offer a breadth of services that can meet the unique needs of the various user groups at UCLA. But is adopting an external service provider the right decision for UCLA? Gartner believes the answer could be a qualified yes for students and alumni and based on the responses to the RFI a no for the other user groups. For the faculty, staff, graduate students that teach and the UCLA Medical Sciences group, the no recommendation is based on the fact that the solutions proposed in response to the RFI do not meet the functional requirements of these user groups. If UCLA is interested in obtaining an external service provider for these user groups, then UCLA should purposefully craft a Request for Proposal (RFP) that seeks to obtain services which fit the unique needs and requirements of these user groups. But Gartner would caution UCLA that the cost for these services as provided by an external service provider may exceed the current costs for internally provisioning such services as demonstrated when Gartner compared the current costs for provisioning the services with the market price for comparable services.
10 Page 8 of 12 The no recommendation, however, comes with its own set of risks. Gartner is increasingly finding that many users of corporate systems feel compelled to use Web-based to transfer documents because internal systems may not be up to the job internal mailbox sizes are limited, file attachment sizes and types are restrictive, and access to files is not easily available from outside the corporate network. In an educational landscape, where remote working is common, access to information is essential. Collaboration among individuals working as part of virtual teams requires that information be shared effectively. When internal collaboration tools and environments fail to provide the necessary functionality, users fall back on the growing number of freely-available external tools and services that are targeted to consumers and provide the easy-to-use functionality they crave. But using these external collaboration tools introduces a variety of risks, such as: Unrecoverable deletions of critical files (through user error, provider error or failure). Corporate systems are generally backed-up offline. Loss of or inability to access documents related to the work-in-progress on projects. Dispersion of the collaborative knowledge base or work-in-progress project components. Loss of confidentiality regarding sensitive data (due to user actions - deliberate or accidental-, a provider's technology failure or administrative failure, or external attacks). Can the enterprise disable the account, but retain access to corporate information if an employee leaves the company? Inability to deliver business records against an e-discovery request. Inability to adequately investigate inappropriate activities or suspected crimes. Potential loss of information when workers are terminated or leave. The volume of and collaboration using external tools has created a huge repository of intellectual property and valuable work-in-progress within external databases outside of the control of UCLA. Gartner recognizes that the majority of these users are not specifically trying to break security; rather, they are simply trying to get their jobs done in the absence of comparable tools from the enterprise. Gartner strongly recommends that UCLA mitigate these risks through systemic and systematic investments in internal collaboration tools tools that highly align with, and support the educational mission of the University. Regarding the qualified yes recommendation for students and alumni, Gartner does not see substantial risks associated with transitioning from internally provisioned services to the free services of Google or Microsoft. On the contrary, students and alumni could benefit as a result of the capabilities and the prevalence of consumer use of Google by students and alumni. Our concerns with adopting Google reflect the lack of a motivating financial business case and the real possibility that today s hot product may become tomorrow s castaway. A prime example is the fact that the number of people using Yahoo have greatly diminished since Google entered the free market place. Will Facebook s new and social collaboration products displace Google as the most popular service over the next couple of years? UCLA should clearly identify the decision criteria for entrance and exit of this and the subsequent provider relationship and then manage to those principles. Recommendations UCLA students and alumni would benefit if UCLA adopted the free services proposed for alumni and students. Any contract for services should be considered a tactical solution not a
11 Page 9 of 12 strategic solution to providing a service. UCLA should be prepared to transition providers again, should UCLA find a tactically or strategically compelling alternative. UCLA faculty, staff, graduate students that teach and the Medical school have little to gain from adopting the services proposed in response to the RFI. Gartner recommends that UCLA consider tactical and strategic investments for collaboration tools for this user group, either through the deployment of internal capabilities or through the investment in services offered by an external provider resulting from a university-centric procurement. Regardless of the solution selected for the individual user groups, the availability and attractiveness of consumer alternatives to the collaboration tools of UCLA will result in a continued increase in adoption of the consumer alternatives. Gartner recommends that the CIOs consider the following actions: Understand the scope of the current usage of Web-based services and patterns of behavior regarding the attachment of corporate intellectual property. Educate the rest of the business so that all associates have the ability to evaluate the real business risks being incurred and determine whether or not they are acceptable. If not, then CIOs should determine an appropriate course of corrective actions. Publicize acceptable alternatives for moving information around (such as using SharePoint or other portals, FTP services or secured removable media), but critically evaluate them from the user's point of view. Are they easy to use, effective and reliable? If they take longer to use than simply attaching a file to an message and sending it, then they need to be addressed. Review internal limits on corporate systems, mailbox sizes, attached file types and size limits. Are they adequate for a rich media environment? Re-evaluate existing internal storage models and network and server topologies to identify ways to expand available storage and other features without raising overall operating costs. Consider the use of encryption systems to secure any document being attached to an e- mail message - where the recipient would also have access to the necessary decryption keys. Examine policies relating to mobile devices and the extent to which these policies support users' expectations.
12 Page 10 of 12 Any questions regarding this report should be addressed to: Steven Buckley Vice President Gartner, Inc. Telephone: